For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

f5

238 Topics

WAFaaS with SSL Orchestrator
Introduction Note: This article applies to SSL Orchestrator versions prior to 11.0. If using version 11.0 refer to the article HERE This use case allows you to insert F5 WAF functionality as a Service in the SSL Orchestrator inspection zone. WAFaaS is the ability to insert ASM profiles into the SSL Orchestrator Service Chain for Inbound Topologies. This configuration is specific to a WAF policy running on the SSL Orchestrator device. WAF and SSL Orchestrator consume significant CPU cycles so care should be given when deploying both together. It is also possible to deploy WAF as a service on a separate BIG-IP device, in which case you’d simply configure an inline transparent proxy service. The ability to insert F5’s WAF into the Service Chain presents a significant customer benefit. This guide assumes you already have WAF/ASM profile(s) configured, licensed and provisioned on BIG-IP and wish to add this functionality to an Inbound Topology. In order to run WAF and SSL Orchestrator on the same device you will need an LTM license with SSL Orchestrator as an add-on option. You cannot add a WAF license to an SSL Orchestrator stand-alone license. SSL Orchestrator does not directly support inserting F5 WAF policies into the Service Chain. However, the F5 platform is flexible enough to handle many custom use cases. In this case, the ICAP service configuration exposes a framework that is useful for any number of specialized patterns, including adding a WAF policy to an SSLO service chain. We will configure an ICAP Service and attach the WAF policy to it. Steps: Create ICAP Service Disable Strictness on the Service Disable TCP monitor for the ICAP Pool ICAP Adapt profiles removed from the Virtual Server Application Security Policy enabled and a Policy assigned under Security Step #1: Create ICAP Service Note: These instructions assume an SSL Orchestrator Topology and Service Chain are already deployed and working properly. These instructions simply add WAFaaS to the existing Service Chain. It is entirely possible to create the WAFaaS during the initial Topology creation, in which case you would create the service during the workflow, then make the necessary changes after the topology has been created. From the SSL Orchestrator Guided Configuration click Services then Add Scroll to the bottom, select Generic ICAP Service and click Add Give it a name, WAFaaS in this example For ICAP Devices click Add on the right Enter an IP Address, 198.19.97.1 in this example and click Done. Note: the IP address you use does not have to be the one above. It’s just a local, non-routable address used as a placeholder in the service definition. This IP address will not be used. IP addresses 198.19.97.0 to 198.19.97.255 are owned by network benchmark tests and located in private networks. Scroll to the bottom and click Save & Next. The next screen is the Services Chain List. Click the name of the Service Chain you wish to add WAF functionality to, ssloSC_ServiceChain in this example. Note: The order of the Services in the Selected column is the order in which SSL Orchestrator will pass decrypted data to the device. This can be an important consideration if you want some devices to see, or not see, the actions taken by the WAF Service. Select the WAFaaS Service and click the right arrow to move it to Selected. Click Save. Click Save & Next Click Deploy You should receive a Success message Step #2: Disable Strictness on the Service From the SSL Orchestrator Configuration screen select Services. Click the padlock to Unprotect Configuration. Note: Disabling Strictness on the ICAP Service is needed to modify it and attach the WAFaaS policy. Strictness must remain disabled on this service and disabling strictness on the service has no effect on any other part of the SSL Orchestrator configuration. Click OK to Unprotect the Configuration Step #3: Disable tcp monitor for the ICAP Pool From Local Traffic select Pools > Pool List Select the WAFaaS Pool Under Active Health Monitors select tcp and click >> to move it to Available. This removes the Pool’s Monitor because otherwise it would be marked as down or unavailable. Click Update Note: The Health Monitor needs to be removed because there is no actual ICAP service to monitor. Step #4: ICAP Adapt profiles removed from the Virtual Server From Local Traffic select Virtual Servers > Virtual Server List Locate the WAFaaS ICAP service that ends in “-t-4” virtual server and select it Set the Request Adapt Profile and Response Adapt Profile to None to disable the default ICAP Profiles Click Update Step #5: Application Security Policy enabled and a Policy assigned under Security For the WAFaaS-t-4 Virtual Server click the Security tab Set Application Security Policy to Enabled Select the Security Policy you wish to use. Click Update when done Note: In specific versions of SSL Orchestrator there is one extra configuration item that needs to be modified. This is NOT required in other versions. If this change is made, when performing an upgrade it is not necessarily required to back out this change. Required versions: SSLO version 5.9.15 available on TMOS 14.1.4 SSLO versions 6.0-6.5 available on TMOX 15.0.x Navigate to “Local Traffic ›› Profiles : Other : Service” Select the Service profile named “ssloS_WAFaaS-service” Change the “Type” from “ICAP” to “F5 Module” Conclusion The configuration is now complete. Using the WAFaaS this way is functionally the same as using it by itself. There are no known limitations to this configuration.
KevinGallaugher
Jan 07, 2026 Place Technical Articles
2.8KViews
5likes
9Comments
F5 ASM with fortisandbox
Hi i want to integrate f5 ASM with fortisandbox as a icap server for file upload inspection i found this articale https://support.f5.com/csp/article/K70941653 but Value of virus_header_name for fortisandbox is not mentioned any one has experince of integration with fortisandbox. please let me know if anyone know virus_header_name for fortisandbox
ahmad24954
Sep 03, 2025 Place Technical Forum
1.9KViews
1like
2Comments
F5 Open telemetry issue
Hi all, we have the issue with TS on f5, we installed TS package, set up declaration but when we are checking f5 url/telemetry we dont see atribute which we should see in the attachment you can see the declaration we have used and posted on f5 expecting to see everything, but we see only some basic status, not eg: f5 pool active members, f5 pool availability we dont see any errors in /var/log/restnoded/restnoded.log and when we check url: localhost/mgmt/shared/telemetry/pullconsumer/metrics we see nothing useful. Any help would be appreciated.
Samuel_
Aug 14, 2025 Place Technical Forum
82Views
0likes
1Comment
Exchange cert upgrade on F%
I need help to cert upgrade on f5. I have updated cert on f5 for all the profiles associated with exchange 2019 .but webmail is working fine with new certificate exchange client is not working it is asking for the password.
Qkhan
Jun 22, 2025 Place Technical Forum
132Views
0likes
3Comments
MTLS - How to authenticate a specific certificate
We have a VIP configured on F5 with MTLS. I have used publicly trusted certificates as server and client certificate while configuring MTLS. The behavior, I was expecting is calling application would be authenticated only when exact same client certificate is used which is used from setting up MTLS. Actual Behavior, calling application is able to authenticate with any client certificate, provided it is signed by the same root CA as the client certificate that is used for setting up MTLS. I just wanted to understand if there is a way to get the expected behavior without writing a irule or a policy
Solved
SanalNaroor
May 29, 2025 Place Technical Forum
186Views
0likes
1Comment
F5 License Lifetime
Hello everyone Is there a KB that can provide information about the F5 BIG-IP license lifespan? Best regards
Vic_Romero
May 20, 2025 Place Technical Forum
92Views
0likes
2Comments
[Sharing My Journey: Automating F5 Licensing]
editors note: Moved to Codeshare - Automating F5 Licensing - without direct internet access | DevCentral ---Hello DevCentral Community! I'm excited to share a project I've been working on recently: **Automating F5 BIG-IP VE Licensing** without needing direct internet access! The project covers: - Retrieving a Dossier automatically via iControl REST API. - Interacting with F5 licensing servers through proxies or offline. - Re-activating licenses post-upgrade using custom scripts. - Full Python 3 support (moving away from BigSuds/Python 2 limitations). ✅ The idea is to help users who need to automate the licensing process, especially for secure or offline environments. I'll be sharing: - Scripts - Use cases - Lessons learned - Tips for real-world deployments If you're interested in automating your BIG-IP licensing process, feel free to follow along! Feedback, ideas, or collaboration is most welcome! 🚀 #F5 #BIGIP #Automation #DevCentral #Python3 #Licensing --- 🔗 Upcoming posts: Detailed code examples, error handling tips, and best practices. Thanks to the amazing DevCentral community for inspiring me to contribute and share! ........................................................................................................................................................................................................................................... import requests import json import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) class BigIPLicenseManager: def __init__(self, host, username, password, registration_key): self.host = host self.username = username self.password = password self.registration_key = registration_key self.base_url = f"https://{self.host}/mgmt/tm/sys/license" self.headers = {'Content-Type': 'application/json'} def get_dossier(self): payload = { "command": "install", "registrationKey": self.registration_key } response = requests.post( self.base_url, auth=(self.username, self.password), headers=self.headers, json=payload, verify=False ) if response.status_code == 200: data = response.json() dossier = data.get('dossier') if dossier: print("[+] Dossier retrieved successfully.") return dossier else: print("[-] No dossier found in response.") return None else: print(f"[-] Failed to retrieve dossier: {response.text}") return None def install_license(self, license_text): payload = { "command": "install", "licenseText": license_text } response = requests.post( self.base_url, auth=(self.username, self.password), headers=self.headers, json=payload, verify=False ) if response.status_code == 200: print("[+] License installed successfully.") else: print(f"[-] Failed to install license: {response.text}") if __name__ == "__main__": # Define your BIG-IP credentials and registration key here bigip_host = "192.168.1.245" bigip_username = "admin" bigip_password = "admin" registration_key = "AAAAA-BBBBB-CCCCC-DDDDD-EEEEE" manager = BigIPLicenseManager( bigip_host, bigip_username, bigip_password, registration_key ) dossier = manager.get_dossier() if dossier: # Print the dossier to manually activate it via activate.f5.com print("\n[!] Submit the following dossier to F5 activation server:") print(dossier) # After getting the license text (offline or from a licensing server) license_text = input("\nPaste the license text here:\n") manager.install_license(license_text.strip())
ashrafelsayelshabany
Apr 30, 2025 Place Water Cooler
131Views
0likes
3Comments
f5 AI Gateway pii-redactor not working
I am testing Ai Gateway by looking at NGINX Modern Apps Docs. I have verified that OWASP LLM 01, 07 are working, but 02 Sensitive Information Configuration does not seem to be working. The demo video also contains Sensitive Information related content. how config Sensitive Information masking for ai gateway? https://clouddocs.f5.com/training/community/nginx/html/class15/module6/module6.html The processor's log looks like this: {"time":"2025-04-11T00:55:04.71766415Z","level":"ERROR","msg":"applying config to component failed, rolling back","error":"failed to check processors: failed to fetch parameters for processor pii-redactor: unable to fetch parameters from url: http://aigw-processors-f5.devopschan.svc.cluster.local/api/v1/signature/f5/pii-redactor, got status: 404"} 2025/04/11 00:55:04 WARN will retry config apply in 5s (1 of 3) {"time":"2025-04-11T00:55:05.368088471Z","level":"INFO","msg":"successfully reported usage data"} {"time":"2025-04-11T00:55:09.767886333Z","level":"ERROR","msg":"applying config to component failed, rolling back","error":"failed to check processors: failed to fetch parameters for processor pii-redactor: unable to fetch parameters from url: http://aigw-processors-f5.devopschan.svc.cluster.local/api/v1/signature/f5/pii-redactor, got status: 404"} 2025/04/11 00:55:09 WARN will retry config apply in 5s (2 of 3) {"time":"2025-04-11T00:55:14.817815787Z","level":"ERROR","msg":"applying config to component failed, rolling back","error":"failed to check processors: failed to fetch parameters for processor pii-redactor: unable to fetch parameters from url: http://aigw-processors-f5.devopschan.svc.cluster.local/api/v1/signature/f5/pii-redactor, got status: 404"} configuration file : ... responseStages: - name: protect steps: - name: pii-redactor ... - name: pii-redactor type: external config: endpoint: http://aigw-processors-f5.devopschan.svc.cluster.local namespace: f5 version: 1 params: threshold: 0.2 # Default 0.2 allow_rewrite: true # Default false denyset: ["EMAIL","PHONE_NUMBER","STREETADDRESS","ZIPCODE"] ... thank you.
chanokkim
Apr 17, 2025 Place Technical Forum
125Views
0likes
1Comment
AWS WAF - Bot Protection Rules
Hello guys, we are looking for this WAF Rule in the AWS Marketplace. We have interest in DDOS protection further, so can anyone tell me if the F5 Bot Protection Rules could work and what "DDOS bot/tools protection means". We will use the WAF for ALB, se we need to cover the layer 7 and not sure which kind of protection this can give us? If some hackers pretend to make a DDOS attack trough our Load Balancer, will be covered? "F5's Managed Rules for AWS WAF offer an additional layer of protection that can be easily applied to your AWS WAF. F5's Bot Protection rules analyze all incoming requests and block any malicious bot activities identified, including DDoS tools, vulnerability scanners, web scrapers, and forum spam tools"
axelfulop
Mar 26, 2025 Place Technical Forum
82Views
1like
1Comment
History Current Connections from Local pool Traffic.
Hi Team, I need to confirm, That we can see the history of current connections from local traffic as below. Can we see at least the last two months' data from the current connections? In GUI or CLI.. Please advice. THanks
Hakam24
Mar 26, 2025 Place Technical Forum
93Views
0likes
1Comment